The WannaCry ransomware attack highlights the need for a global strategy to use financial intelligence in tracking cybercriminals.

The WannaCry ransomware attack, launched by unidentified cybercriminals on 12 May, has disrupted public and private sector services globally, crippling more than three-dozen of Britain’s National Health Service Trusts.

The exact figures are imprecise, but some estimates put cybercrime as the top source of global criminal proceeds. Ransomware has featured heavily, but other forms of financially motivated cybercrime have also proved lucrative. This includes cyber-enabled fraud, such as credit card and ID theft, as well as large-scale bank thefts involving North Korea as a suspected perpetrator.

Practical IT security measures remain the best defence against cybercrime. However, as profits soar, counter-illicit finance techniques offer a promising means for tracking cybercriminals.

Vulnerable to Detection

Although cybercriminals operate in a virtual space, accessing their profits can result in the generation of tangible funds, accounts and property, making them vulnerable to detection and the seizure of criminal proceeds.

Because cybercriminals operate globally, tracing their funds requires governments to cooperate closely. However, attempts to crack down on illicit cybercrime proceeds to date have often been ad hoc and piecemeal.

Improved international coordination in tracing and seizing proceeds can help to build out the broader intelligence picture around cybercrime, while enhancing the disruptive impact of law enforcement action.

The WannaCry attack is a timely illustration of the need for a robust and coherent financial intelligence component in global counter-cybercrime efforts.

Victims of WannaCry were greeted by a message threatening that unless they made bitcoin payments of $300 or $600 they would have their files deleted permanently. The ransom notes demanded transfers to one of three bitcoin addresses, each of which can be viewed on the blockchain, bitcoin’s public transaction ledger.

Not all that Anonymous

Although bitcoin is often described as ‘anonymous’, the transparent nature of the blockchain makes the transfer of funds from one alphanumeric address to another visible and traceable. With WannaCry, as of today, the three addresses had received approximately 280 separate payments totalling 42.2 bitcoins, equal to roughly $77,400.

The bitcoins remain sitting with those three addresses, the use of which offers clues about the attackers’ possible motives.

For example, ransomware often generates a new, unique bitcoin address for each victim, so that criminals can decrypt a victim’s files after receiving the cryptocurrency at the unique address. This is the technique employed in certain versions of the prolific CryptoLocker ransomware, as well as other ransomware varieties.

The WannaCry attackers’ use of just three fixed bitcoin addresses suggests they have no intention to decrypt files: it is unclear how they would know which victims made ransom payments.

What's the Motive?

This has led some experts to speculate the attackers may have erred. In signalling that they are unlikely to decrypt files, the perpetrators may have disincentivised victims from paying. This could explain the relatively low volume of payments relative to the estimated 200,000 victims, a success rate of just 0.001% and a relatively modest sum for so many victims.

The attackers’ use of only three addresses also makes their financial activity potentially more vulnerable to detection. When criminals obtain bitcoin, they generally ‘cash out’ by converting their cryptocurrency into fiat currency, legal tender issued and backed by a government.

This often involves using a bitcoin exchange (a business that converts it to fiat currency) in jurisdictions that do not regulate them. Services for cashing out criminal bitcoin proceeds also exist on the dark web, a technique used by drug dealers.

At the point of cashing out, the risk of detection grows, but using a larger number of unique bitcoin addresses for laundering purposes along the way can decrease that risk.

Amateurs or Provocateurs?

It remains unconfirmed if the WannaCry attackers made an amateur mistake, or if their primary motivation was provocation, not profit. Some researchers have observed that WannaCry uses code similar to that employed by suspected North Korean-linked hackers in robbing Bangladesh’s central bank.

A direct North Korea connection remains far from confirmed, but, if established, might add credence to the view that, in the WannaCry case, profit motive was of secondary importance (although that theory hardly explains how a country building a reputation for audacious cybertheft could have failed to generate very large profits in this case).

The risk the attackers face if they move their bitcoin offers a lesson: for all the mystique surrounding the digital realm, cybercriminals must generally interact with the ‘real’ world if they want to enjoy their profits. Targeting those earnings will require enhancing the capacity and knowledge of relevant public sector agencies.

Training for the Future

The United Nations Office on Drugs and Crime has recently developed a training programme for improving law enforcement investigations into crimes involving cryptocurrencies. Such international efforts should be expanded to promote robust, coordinated global financial investigations into cybercrime cases more generally, including where they involve conventional money laundering approaches.

Although cybercriminals use new payment methods such as virtual currencies, which can require sophisticated analytical techniques, in many cases online crooks may not require highly technical money laundering methods.

For example, research by Europol suggests cybercriminals rely heavily on money mule activity, a simple but effective method that uses individuals to launder funds through their personal bank accounts.

Tried and tested investigative techniques for detecting illicit financial activity can play a role in identifying these schemes, although enhanced training and resourcing is necessary to keep pace with the scale of the global threat.

Building Robust Partnerships

Critical to success in tracing illicit cybercrime proceeds will be the establishment of robust public–private partnerships. Tracking financial flows around cybercrime will require a more fluid exchange of information between relevant stakeholders than exists at present.

Lateral approaches, such as expanding dialogue and information sharing between governments, the financial sector and non-financial sector businesses are also needed. Non-financial sector businesses that are targets of cybercrime can potentially be essential sources of information for financial intelligence agencies. They can also play a more effective role in tackling cybercrime if they understand the financial methods and motivations of cybercriminals.

Whatever the future of cybercrime, as it evolves, financial intelligence must not be left out of the picture.

Banner image: Thousands of computers, including in the NHS, have been attacked by ransomware called WannaCry, also known as WCry, WannaDecryptOr and WannaCrypt. Courtesy of Wikimedia.

Pages

The UK’s long-awaited National Cyber Security Strategy (NCSS) 2016 to 2021 was released this month after a delay due to Britain’s EU referendum and change in government. What does it say and what does it leave unanswered?

General Sir Richard Barrons has laid out his concerns about the defence and security postures adopted by the UK, NATO, and the West more generally, at a time of what he argues is a substantially increased threat to global peace and security.

In his appeal to the House of Commons to extend UK anti-Daesh operations to Syria, the prime minister cited unique RAF capabilities, in particular the Brimstone anti-armour missile and MQ-9 Reaper. What contributions can the RAF bring to the campaign in Syria?

Pages

While not a new phenomenon, the use of spy and stealth technology in space continues to have an impact on how security is viewed in this domain. Understanding the implications is becoming increasingly important

Corporate

Individual

RUSI members enjoy privileged access to the RUSI Journal, Newsbrief and Defence Systems as well as invitations to our full programme of exclusive members’ lectures and seminars. Members also have access to our renowned Library of Military History and online catalogue.